A quick search for cloud security in Google turns up hundreds of articles – many of which claim it is one of, if not THE, top reason to avoid cloud computing. You’ve probably seen the headlines – “Cloud is the real culprit for the iPad security hole“, “Will the cloud have its own Deepwater Horizon disaster?,” “Cloud computing risks outweigh rewards,” and the list goes on. It is for this reason that cloud security leads off our Mythbusting Monday series.
Today cloud security tops almost every list of cloud computing concerns – partly because it’s something that should be on the mind of any customer evaluating new technology. But it’s also gaining steam because it’s being used as a crutch for people skeptical about anything new or disruptive, and as a market stalling tactic by vendors who don’t have a solution for this new paradigm. Cloud security isn’t a new topic – I responded to some of the hype almost a year ago in this blog – but it has the potential to unnecessarily hinder adoption and innovation if it isn’t addressed.
Look at Security through the Right Lens
One of the biggest issues is that cloud security is often compared with a company’s ideal security scenario, not what they have in reality. The reality is that less than half of large companies (and very few small to medium companies) employ a CSO or CISO focused on security. Even with a CSO, how many IT organizations can ensure that every server, desktop, and mobile device in the company has the most updated security software and patches at all times? What about the data walking out of your company on laptops, phones or thumb drives? And then there’s your people – some predict social engineering may actually be the greatest security risk of all.
Your world is changing – whether you like it or not – and so should your approach to security
Today’s security mechanism in most companies is to create a moat around the castle – a difficult to navigate buffer zone that locks down access in and out and lets people roam freely once they’re inside the building. That approach costs a lot of money and is getting less and less effective in a world that’s becoming ever more “social” and interconnected. Think about the amount of your data that is stored and shared among your partners, suppliers and remote employees. Or the fact that IT organizations will have less and less control over the devices and applications their employees use at and for work.
For all these reasons, customers are finding security a reason TO move to the cloud, not away from it. For the vast majority of companies where security isn’t a core competency, working with cloud vendors like salesforce.com, Google or Amazon strengthens the security of their data, and allows them to focus on the core aspects of their business. These vendors collectively spend billions on security every year. They hire the best and the brightest in the security industry to ensure their customers, their data and their brand remain untarnished. And they have a whole lot more to lose if a breach does happen – which is why they focus on every single one of the core areas of security that you see in the PwC “Global State of Information Security” graphic here.
Click Image to Enlarge
Plus the leading cloud vendors’ security investment dollar goes further than most as a result of simple economies of scale. From a recent European Network and Information Security Agency (ENISA) cloud computing risk study… “Therefore the same amount of investment in security buys better protection. This includes all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc. Other benefits of scale include: multiple locations, edge networks (content delivered or processed closer to its destination), timeliness of response, to incidents, threat management.”
It’s the same reason you trust your money to a bank who has more expertise, resources, insurance and reach than you do. It may make you feel better to put your money under your mattress, but there’s a reason why banks are in business. It’s an interesting analogy that my colleague, Ryan Nichols, recently made in his Cloudsourcing blog on Computerworld.
Security will always be important and it should be a topic for debate in this quickly evolving world of cloud computing. But keep in mind that it is also always evolving and will never be perfect (at least not in my lifetime). As such, it shouldn’t be used a reason not to move forward.
A work in progress
Cloud security still has a lot of room for improvement – as does the world of managing security with on-premise systems. But here are some things that make me feel positive about the direction we’re heading:
- The fact that more cloud application and platform providers are demonstrating they’re SAS 70 Type II and ISO 27001 / 27002 compliant. Remember, not every cloud vendor is created equal so ask about these things!
- The work that’s happening in “cloud specific” organizations like Cloud Security Alliance (CSA) and CloudAudit/A6 to create cloud appropriate security standards
- Increasingly balanced perspectives on cloud computing security coming from security organizations such as ENISA and ISACA
- New cloud security products (real ones not re-labeled on-premise stuff) hitting the market every day from vendors like Tricipher, Conformity and Symplified
Mark Tognetti is an Enterprise Architect at Appirio, helping large companies develop and implement a business-driven roadmap to the cloud. Before joining Appirio he was VP of IT Strategy and Enterprise Architecture at a $2.6B fleet management company, and a former Certified Information Systems Auditor at PricewaterhouseCoopers (formerly Coopers and Lybrand).